MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177
SHA3-384 hash: 9d83338d89d56a284ec6f1707703757d8571553a9e0d86788342058faeb1f9ce5d57f40e5f6a867a1bd9ea8b7bafb42c
SHA1 hash: 4a518b962b15f61ad9528e424fc91e6c6f401f2d
MD5 hash: 82533af93c5f1cb75baec5ec6cde5759
humanhash: december-texas-spaghetti-september
File name:PO-2785838240681_from_wheel-tec-Netherland.exe
Download: download sample
File size:76'800 bytes
First seen:2022-10-12 14:50:45 UTC
Last seen:2022-10-18 07:26:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 192:qAdDyxkJdhyBJPE3o6nrAffJOthlebUEpzup1Xo:qAlyxk5yXsgffJOth8pzuf
Threatray 2'708 similar samples on MalwareBazaar
TLSH T1337308B9E2450336D9A74F32D09F3B4E032A9E596D229B4EC49C73B85EF33D2D640919
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 125ad212e9cd3682 (40 x AgentTesla, 21 x Loki, 19 x Heodo)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319424/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.8080.9021.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6346d4570d2bcf0ff9a2863a/reports/24c7f6c5-9943-4d81-9023-54dcde923e4f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8938c234-8485-4d34-9ab2-94838d46c931
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1088892
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 13:29:19 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mlj5tipkgi4rrd4xgwvtswoi6m3oa2bmzbukirvfhkdwuuouif3q._file
Verdict:
malicious
Similar samples:
0a869d139f509a45998437cb390ae80c9d5581bf615666e0535b0dd157f9e0aa
1c4c51643818307480c2436301dab98c4794812abb3e94df7b133450411b66e1
34dba85bb25c6589d0a5befe607e52b82a740402b92dbb5989797a523fb7561a
3a49316c65c2615a97b6169e7116b1fae7e163971065ae69484d803574cb586a
4bcabec27b62127148e5a986ab1d36d6485e686f03ab012d3631be04b82c29f5
57010882c49e6a6ec8fff4664eb8df03eb4cfb19d5ee32b3f973f03330e69cdd
8de88d3403aea70bfafb52711ae187b8abaadb60d87be9afbc5bdbe33bb51cdd
d7c9050d81903010ff6843bceea4331e45f15914ba721f20e01b1eedf33dff13
f31cd91440c409b5420f1952db0bd3eb158a6dd9b8a19d8328d7eea32c4f4928
+ 2'698 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/221012-r757nagbgl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/25201813-d828-432c-a471-fd7fbb41a183
Unpacked files
SH256 hash:
62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177
MD5 hash:
82533af93c5f1cb75baec5ec6cde5759
SHA1 hash:
4a518b962b15f61ad9528e424fc91e6c6f401f2d
Link:
https://www.unpac.me/results/3c394edd-f005-443d-8182-43cacdd3829d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/319424/

Comments